jim reavis, ceo june 2017 - cloud security alliance · servers are dead, virtual servers are dying,...
TRANSCRIPT
www.cloudsecurityalliance.org Copyright © 2017 Cloud Security Alliance
Jim Reavis, CEO
June 2017
Global, not-for-profit organization
Building security best practices for next generation IT
Research and Educational Programs
Cloud Provider Certification – CSA STAR
User Certification - CCSK
The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
Get out of the datacenter business, focus on the core business
Accelerate time to market for products
One line of code creates a datacenter!
Leverage leading edge technology
Software is eating the world, Developers are the mouth!
Greater comfort with “Tier 1” cloud provider security
The question is not “if”, but “how much, how soon?”
Regulatory & compliance concerns
Data protection & data sovereignty
Loss of control
Performance and uptime
Fear of being tied into one provider
Security, particularly for lesser known cloud entities
Cloud as a layered model (eg OSI)
SaaS has implicit IaaS & PaaS layers
Market impacts architecture
Businesses occupy individual layers (e.g. cloud brokers)
Layers of abstraction emerge
Innovation/optimization in layers
Everything becomes virtualized
(Figure: CSA Cloud Reference Model)
Phenomenal Growth
Amazon AWS 55% YoY, $11B+ business
Public Cloud 44% YoY 2014-2019 (Cisco)
Private Cloud 17% YoY 2014-2019 (Cisco)
Most heavily used IaaS services: virtual machine computing & storage
Major IaaS players tend to be PaaS leaders
AWS, Azure, Heroku & Force.com (Salesforce), Google App Engine
Enterprise “Cloud First” policy common
Public cloud surpassing private cloud
Servers are dead, virtual servers are dying, long live services and microservices!
Microsegmentation, Software-defined everything
APIs everywhere
Automation, DevOps & DevSecOps changing how security is implemented
“Born in the cloud” security companies
High growth expected to continue
(Figure: IaaS, PaaS and SaaS layers)
Cloud is global, nations and industries enforce localized requirements
Need to harmonize & normalize control objectives for global players
Data sovereignty treated as a physical issue in a virtual world
Enterprises pushing to approve new apps in days and HOURS!
Continuous auditing/monitoring needs to address security “between audits”
Audit scopes change in multi-cloud
SaaS providers within large IaaS clouds should “inherit” underlying controls
Customers must be assured the “entire stack” is secure
Innovation, Automation & Transparency create tremendous opportunities
Cloud specific risk considerations
1. Data Breaches
2. Compromised Credentials and IAM
3. Insecure APIs
4. System and App Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. APTs
8. Data Loss
9. Due Diligence
10. Nefarious Use and Abuse
11. Denial of Service
12. Shared Technology Issues
https://cloudsecurityalliance.org/group/top-threats/
In all clouds it is a shared responsibility
IaaS places greater responsibility on the customer to harden the service
Provider is responsible for implementing most security in SaaS
Identity & data governance may still be in the tenant’s realm
Customer has the ultimate responsibility for security assurance
Visibility into cloud usage today and plans for tomorrow
Data security: think about the entire data lifecycle and address security in all phases
Strong Identity & Access Management strategy
Gentle policing: encourage secure cloud options over insecure cloud choices
Due diligence with your providers
Have an intermediary strategy
Fill the Education Gap – gain cloud security expertise today and start addressing “next generation” trends
“Cloudify” information security – Virtual, Agile, Automation, Service-oriented vs Appliance-centric
Tools for your secure cloud journey
Certificate of Cloud Security Knowledge (CCSK)
Most valuable IT certification 2016 – Certification Magazine
Benchmark of cloud security competency
Based on CSA guidance
Online web-based examination
www.cloudsecurityalliance.org/education/ccsk/
Also partnered with (ISC)2 on complementary CCSP
Level 1 STAR Self-Assessment
Public Registry of Cloud Provider self-assessments based on CSA standards
Level 2 STAR 3rd Party Audits
STAR Certification: Integrates ISO/IEC 27001:2013
STAR Attestation: Based upon Type 2 SOC
CSA SaaS Tool: STARWatch
Ask for provider’s STAR entry
If unavailable, ask provider to fill out CSA’s Cloud Controls Matrix or Consensus Assessments Initiative Questionnaire
www.cloudsecurityalliance.org/research/ccm
www.cloudsecurityalliance.org/research/cai
CSA STAR (Security, Trust and Assurance Registry), 3 Level Provider Certification Program
Managed by CSA in partnership with world leading ISO certification bodies and audit firms
Adopted Worldwide by Providers, Enterprises and Governments
Promotes Transparency within Cloud Ecosystem
First ever baseline control framework specifically designed for Cloud supply chain risk management:
Delineates control ownership (Provider, Customer)
Ranks applicability to cloud provider type (SaaS vs PaaS vs IaaS)
An anchor for security and compliance posture measurement
Provides a framework of 16 control domains
Controls map to global regulations and security standards: e.g. NIST, ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP – mappings growing virally
Companion to CSA Cloud Controls Matrix (CCM)
Series of Yes/No/NA questions used to assess compliance with CCM
Narrative may be included for each question to explain why the particular answer is given
Helps organizations build assessment processes for cloud providers
Helps cloud providers assess their own security posture
The core team that originally built this was from the financial services industry
Guidance V4
Global Enterprise Advisory Board
Software Defined Perimeter
Security as a Service
Big Data
Internet of Things
Privacy Level Agreement
Incident Response / Threat Intelligence
SaaS Governance
Financial Services
Other
https://cloudsecurityalliance.org/research
Jim’s overly simplified view of the future
(Chart: World Population vs. Internet connected devices over time; “We are in here currently”; heading towards “Thousands of computers per human”)
Cloud computing is the back end
Internet of Things is the endpoint
Compute is Everywhere …
But, you won’t know where anything is
Applications, topologies, security configurations in constant state of change
Self Driving Information Security: moving humans to the (high value & strategic) periphery
Automation
AI/Machine learning
Continuous
Analytics
Software defined everything
Standards
Trust marks
Inherited security
Blockchain
Quantum
etc
…plus the technology we already depend on
(Figure: “Now” vs. “Soon” comparison of the share of People and Other stuff)
Blockchain
Containers, micro services
Internet of Things
DevSecOps: DevOps applied to security
Analytics
Autonomous computing
Artificial Intelligence
Quantum-Safe Computing
https://cloudsecurityalliance.org/research
Summary
Cloud is the future of IT and a competitive advantage today
Awareness, Opportunism, Strategy in cloud adoption
Understand Cloud and the wide variety of providers on the market
Learn how to protect your data
Make your organization cloud ready
Due diligence with your providers
Understand how software development is different in cloud
Understand how cloud is changing security best practices
Track emerging trends
Education is a key gap to address
Tier 1 providers are better at security than you, so know who you are in a relationship with
Lots of free tools and research to make your transition easier
CSA is here to answer your questions
www.cloudsecurityalliance.org
@cloudsa